JFrog Bridge

Subscription Information

This feature is supported with the Enterprise+ license.

Overcoming Network Security Barriers in Hybrid Environments

Hybrid JFrog deployments combine SaaS JPDs in the JFrog cloud with Self-managed JPD servers hosted on your premises, behind corporate firewalls.

JFrog Federation services are a growing set of JFrog offerings that automatically sync repositories, access information, and distribution processes across multiple JPDs. Large subscriptions benefit from centralized, consistent, hands-off management of access, security, and SDLC processes.

Federated features need SaaS and Self-managed JPDs to communicate and sync, but in hybrid deployments, corporate security policies often block inbound connections to private infrastructure. Self-managed JPDs behind the firewall then cannot participate in federated services.

To solve this, the JFrog Bridge establishes secure, persistent communication between SaaS JPDs and JPDs hosted behind on-premises firewalls. To comply with security policies, the Bridge reverses the connection direction: the Self-managed JPD initiates an outbound TCP connection to the SaaS JPD. Once established, the Bridge connection is transparent to higher-level workflows. Platform services communicate as if over a direct connection.

This method offers several advantages:

No inbound firewall exceptions: The Bridge Client on the Self-managed JPD initiates private outbound connections to the SaaS JPD using standard HTTP. No inbound ports or firewall exceptions are required.

No VPN or complex network infrastructure: The Bridge operates as an application layer tunnel. Without site-to-site VPNs, cloud peering, or private link configurations, infrastructure costs and operational overhead are significantly reduced.

End-to-end security with existing certificates: Bridge connections and forwarded API requests authenticate using the Self-managed JPD’s own CA certificates. Existing trust boundaries are maintained without third-party certificate dependencies.

Proxy support: Bridge services inherit the platform's default proxy configuration, and administrators can reconfigure proxy settings per bridge.

Configurable auto-scale: Each Bridge dynamically adds independent TCP tunneling sessions based on traffic demand, within configured ranges.

Granular topology management: Each Bridge can be stopped, restarted, edited, deleted, blocked, or unblocked independently at the SaaS or Self-managed JPD, using the Platform UI or REST APIs.

Observability: The Bridge Client and Server expose APIs for health checks (liveness/readiness), Prometheus metrics, debug snapshots, and support bundles. Bridge services write to standard JFrog service logs, and TRACE-level logging can be enabled.

Common Use Cases

Services on the SaaS JPD use the encrypted, persistent JFrog Bridge connection to forward requests to the Self-managed JPD. This allows sync of on-premises JPDs with other JPDs in Federated multisite services.

Access Federation: The SaaS JPD forwards identity and access management requests through the Bridge to the Self-managed JPD for centralized user, group, and permission management across the entire hybrid topology.

Repository Federation: When a Federated repository on the SaaS JPD includes Self-managed JPDs, the Bridge enables artifact sync between SaaS and Self-managed JPDs.

Distribution to Self-managed edge nodes: The Distribution service on the SaaS JPD forwards release bundles and management requests through the Bridge to Self-managed Edge node JPDs at remote, protected sites.

How JFrog Bridges Work

A JFrog Bridge connects a Bridge Server JPD to a Bridge Client JPD:

  • SaaS JPDs act as Bridge Servers. Contact JFrog Customer Success to verify that the Bridge service is enabled for JPDs in your SaaS environment.
  • Self-managed JPDs act as Bridge Clients. You must install the Bridge Client service on these JPDs.

The Bridge Client establishes a persistent, outbound TCP connection to the Bridge Server with an HTTP Upgrade request. This creates a secure tunnel compatible with corporate firewalls. The Bridge Client service initiates new independent TCP tunneling sessions to the Bridge Server as traffic demands, within configurable ranges.

A registration token secures the Bridge connection. JSON Web Tokens (JWTs) authenticate forwarded API requests. Authentication uses your self-managed environment's custom CA certificates.
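The connection reversal described above, as an added loopback example that is not JFrog's code or wire protocol: only the server side listens, the client dials out and sends an HTTP Upgrade, and the server then forwards a request down that client-opened connection. The `/tunnel` path, the `example-bridge` upgrade name, the `saas.example` host, the token value and the line framing are assumptions made for illustration; TLS and JWT handling are omitted.

```python
import socket
import threading

TOKEN = "constructed-registration-token"  # constructed sample, not a real token format

def read_head(f):
    """Read an HTTP head (first line plus headers) up to the blank line."""
    lines = []
    while (line := f.readline().decode().rstrip("\r\n")):
        lines.append(line)
    return lines

def bridge_server(listener, request, result):
    """SaaS side: accept the client's tunnel, then forward a request down it."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as f:
        head = read_head(f)
        if ("Upgrade: example-bridge" not in head
                or f"Authorization: Bearer {TOKEN}" not in head):
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            result["status"] = "rejected"
            return
        conn.sendall(b"HTTP/1.1 101 Switching Protocols\r\n"
                     b"Connection: Upgrade\r\nUpgrade: example-bridge\r\n\r\n")
        conn.sendall(request.encode() + b"\n")  # request flows server -> client
        result.update(status="ok", reply=f.readline().decode().strip())

def bridge_client(port, token):
    """Self-managed side: dial out, upgrade, then answer forwarded requests."""
    with socket.create_connection(("127.0.0.1", port)) as s, s.makefile("rb") as f:
        s.sendall(("GET /tunnel HTTP/1.1\r\nHost: saas.example\r\n"
                   "Connection: Upgrade\r\nUpgrade: example-bridge\r\n"
                   f"Authorization: Bearer {token}\r\n\r\n").encode())
        if not read_head(f)[0].startswith("HTTP/1.1 101"):
            return False
        forwarded = f.readline().decode().strip()
        s.sendall(f"handled:{forwarded}\n".encode())
        return True

def run_demo(token=TOKEN, request="GET /api/ping"):
    """Wire both sides over loopback; only the server side ever listens."""
    listener = socket.create_server(("127.0.0.1", 0))
    result = {}
    t = threading.Thread(target=bridge_server, args=(listener, request, result))
    t.start()
    upgraded = bridge_client(listener.getsockname()[1], token)
    t.join()
    listener.close()
    return upgraded, result
```

For firewall and detection review, the point to notice is that the client host never opens a listening socket, yet it serves requests that originate on the server once the upgrade succeeds.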

Resilient, auto-scaling topologies are easily created:

  • Bridges are typically grouped in a one-to-many architecture: a single SaaS Bridge Server securely communicates with Bridge Clients on multiple, independent Self-managed JPDs.
  • To support High Availability, multiple nodes of the Bridge Client and Server services can be created.